The letter finally showed up in my mailbox on December 7, 2015 – about eight months after the United States Office of Personnel Management (OPM) first noticed something weird in their database records, and more than twenty months after the hack began.
“Dear FORREST BRAZEAL,” began the letter, which went on to use words like “malicious cyber intrusion”, “Social Security numbers” and “theft of background investigation records”. The letter expressed sympathy for any “concern and frustration” I felt, mentioned that no misuse of my stolen information had yet been detected, and offered a link to some identity protection resources, just in case. For legal reasons, I’m sure, there were no words of apology in the letter.
When the OPM minions – those who haven’t resigned in disgrace – finish licking and stamping, more than twenty million Americans will have received this letter. It’s the latest fallout from one of the largest government data breaches in American history, affecting current federal workers, military service members, families and retirees. And, apparently, me.
It’s not even the theft of my Social Security number that bothers me. Honestly, I’m sure it’s been stolen twenty times by now. That’s just life with an unencrypted numeric master password designed in 1935. Whoever siphoned OPM’s data – the Chinese get the blame, but nobody knows for sure – got a lot more than just numbers. The hackers targeted SF-86 forms, the documents associated with top secret security clearances. Though I don’t currently work for the government, I’ve been through this clearance process, and I can tell you that the information OPM collects about you is extraordinary and goes above and beyond anything that could be revealed in a hack of a retailer, or even your hospital or bank. We’re talking about investigators who track down your childhood friends to find out if there’s anything in your past that can be used to blackmail you, then record that information in OPM’s database. That’s why the perpetrators of this hack aren’t suspected to have a financial motive; it’s much more likely that they’re trying to compile a list of people they can influence within the US government.
So how could such powerful and potentially dangerous data have been exposed so easily, and for so long? As far as I can tell, based on the limited and somewhat contradictory information coming out of OPM, the hack wasn’t dependent on poor encryption or outdated systems. Don’t get me wrong, OPM has plenty of problems in those areas. But it sounds like these particular intruders used valid government credentials to do their dirty work, possibly obtained through good old-fashioned Kevin Mitnick-style social engineering. If anything, this is more infuriating than an elite hacker laying waste to a firewall. There’s no “hats off to the clever devils” in this story. Based on what we know, this attack could have been prevented or mitigated through some simple combination of:
- People not sharing their passwords
- Sysadmins doing their jobs and checking for abnormal access patterns
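The second item is the kind of check the post says was missing: a valid account quietly pulling record volumes far outside its own history. The following is an added illustration (not from the original post, and not anything OPM ran) that scores each account's daily record-access count against its own baseline over a constructed sample log; the account names, volumes and the 3-sigma / 3x thresholds are all assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access log (not real OPM data): one tuple per
# (account, day, records_viewed). "analyst_a" is a routine user; "contractor_b"
# holds valid credentials but starts pulling whole batches of records on day 8.
SAMPLE_LOG = [
    ("analyst_a", d, n) for d, n in enumerate([40, 38, 45, 41, 39, 44, 42, 40, 43, 41], 1)
] + [
    ("contractor_b", d, n) for d, n in enumerate([12, 15, 10, 14, 11, 13, 12, 900, 1200, 1100], 1)
]

def baseline_stats(log, account, train_days):
    """Mean and population stdev of an account's daily volume in the training window."""
    counts = [n for acct, day, n in log if acct == account and day <= train_days]
    return mean(counts), pstdev(counts)

def flag_abnormal_volume(log, train_days=7, sigmas=3.0, min_ratio=3.0):
    """Return (account, day, count, baseline_mean) for post-training days whose
    volume exceeds both mean + sigmas*stdev and min_ratio times the baseline mean.
    The ratio floor keeps a near-constant baseline (stdev close to 0) from
    flagging ordinary day-to-day noise."""
    accounts = {acct for acct, _, _ in log}
    flagged = []
    for acct in sorted(accounts):
        mu, sigma = baseline_stats(log, acct, train_days)
        for a, day, n in log:
            if a != acct or day <= train_days:
                continue
            if n > mu + sigmas * sigma and n > min_ratio * mu:
                flagged.append((acct, day, n, round(mu, 1)))
    return flagged

if __name__ == "__main__":
    for acct, day, n, mu in flag_abnormal_volume(SAMPLE_LOG):
        print(f"day {day}: {acct} viewed {n} records (baseline {mu}/day)")
```

Volume is only one signal; the same per-account baseline approach applies to time of day, source network, or which record categories an account touches.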
The fact that the leaks or hacks or whatever went on for a year before anyone noticed – and then only because a third-party contractor found them during a sales demo of a forensic tool, which must have been either the greatest or worst demo in the history of mankind – absolutely boggles my mind. It means that the two problems I mentioned above are systemic to the training and culture of OPM. There is no software product or system upgrade that can fix this. People are simply not doing their jobs at the level you demand when working with data this sensitive.
Not to beat the “government agencies don’t operate like real businesses” horse, but I work in cloud operations for a company that hosts some of the largest enterprise applications in the world. I assure you that if we had a breach anywhere near this size, we would not be sending out letters tomorrow. We would not even be firing a few people. We would simply cease to exist as a corporate entity. It would be the CodeSpaces story all over again, only with more lawsuits. Instead, OPM delayed action for months before offering people a couple years of identity monitoring (which ironically requires you to share your personal information with them all over again). The company handling the identity monitoring got a fat contract for the job. Your tax dollars at work!
If there’s a moral to the story (other than “think long and hard before applying for a US security clearance, because the ‘security’ is only one-way”), I guess it’s that we need leaders who can think intelligently about information security. Google the OPM hack and you’ll find a startling number of technically suspect accusations being flung between politicians about the discovery and causes of this attack – like the oft-repeated, terrifying, and totally irrelevant point that OPM’s data was unencrypted. (The hackers could see what valid OPM system users see. Encryption on the back end, necessary though it is, was not going to stop them.) Let’s stop the partisan posturing and elect people who actually understand the range of security problems these centralized agencies face. My information is already gone. There’s no reason yours should be next.